PT-2024-16046 · WordPress · Vayu Blocks

Matthew Rollings

Published 2024-12-12 · Updated 2025-01-05

CVE-2024-10124

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress, versions up to, and including, 1.1.1

Description

The issue arises from a missing capability check on the tp install() function, allowing unauthenticated attackers to install and activate arbitrary plugins. This can lead to remote code execution if another vulnerable plugin is installed and activated. The vulnerability was partially patched in version 1.1.1.

Recommendations

For versions up to, and including, 1.1.1, consider updating to a version that fully addresses the vulnerability, as version 1.1.1 only partially patches the issue. As a temporary workaround, consider disabling the tp install() function until a fully patched version is available. Restrict access to plugin installation and activation features to minimize the risk of exploitation.
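The class of defect described above is a plugin-install handler reachable without an authorization check. The following is an added example, not code from the Vayu Blocks plugin, showing how such a handler is written defensively in WordPress: the callback is registered only on the authenticated AJAX hook, verifies a nonce, and checks the install_plugins and activate_plugins capabilities before touching the upgrader. The names prefixed "example_" are assumed.

```php
// Added example (not the Vayu Blocks plugin's code). Names prefixed
// "example_" are assumed. Only the authenticated hook is registered;
// adding the same callback on "wp_ajax_nopriv_" would expose it to
// logged-out visitors, which is the exposure the advisory describes.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin' );

function example_install_plugin() {
    // 1. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 2. Authorization: the caller must be allowed to install and activate
    //    plugins. Omitting this check is the missing capability check.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only a plugin slug, never a URL or path.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve the slug through the WordPress.org plugin API so that only
    // directory-hosted packages can be installed from this endpoint.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }

    // Activation is a separate privileged step, covered by the check above.
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```

When reviewing a plugin for this bug class, confirm each install or activation callback has a capability check and is not hooked on a wp_ajax_nopriv_ action or an unauthenticated REST route.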

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-10124

Affected Products

Vayu Blocks